Independent Data Protection Authorities: Indispensable Watchdogs of the Digital Age

Meeting of the Article 29 Working Party

Brussels, 7 December 2011

Ladies and gentlemen,

I am delighted to be with you today to discuss the reform of the European Union data protection laws.

Data protection is a fundamental right in Europe. It is enshrined in the Charter of Fundamental Rights of the European Union and in our Treaty. The Treaty also underlines that the role of independent data protection authorities (DPAs), your authorities, is to control the compliance with data protection principles.

Your important role is recognised under Article 29 of the current Data Protection Directive. Supervisory authorities in Member States have a key role in developing, defending and enforcing individuals' data protection rights. They respond to complaints and investigate cases. They make public companies and public institutions aware of their rights and obligations related to personal data protection.

Through their action, data protection authorities also shape technology development. They audit data controllers to identify compliance deficits. They ensure that companies put their operations in line with data protection laws.

As the world becomes more connected in this digital age, trust has become increasingly important. Data protection authorities are the watchdogs of the digital age. Your decisions and opinions, either individual or collective, in the Article 29 Working Party, make headlines all over the world.

Building on this practical experience in Member States, you also give valuable advice to the legislator. This is one of the main tasks of the Working Party.

In December 2009 the Working Party issued an important document – an opinion on the future of privacy. It stressed the need for an innovative reform. I got your message. My goal is to encourage innovation to foster trust and growth in digital society. I aim for a high level of data protection and strong fundamental rights.

The Working Party has provided helpful input to our reform. I am especially grateful to Jacob Kohnstamm, who worked tirelessly with his staff to ensure that input would be delivered on time. I am also grateful to Peter Hustinx and his team who have helped a lot to shape our reform proposals.

The Working Party issued several opinions and advice papers on the reform, providing us with detailed input on several aspects of data protection in the digital age. Each of these papers helped us to find the right balance in our proposal on some difficult issues such as sensitive data, consent, right to be forgotten, and the cooperation between supervisory authorities.

I particularly thank you for the very detailed letter on the crucial issues of data protection authorities' independence and their cooperation. I will come to this in a moment.

Let me first explain how I want to strengthen data protection by the choice of a type of legal instrument, by new data protection rights, and by new tools to ensure compliance with the new law.

You are aware that I want one single data protection law in Europe. I believe that for a high level of protection, we need a uniform and coherent law directly applicable in all Member States. In a recent Eurobarometer, a large majority of respondents said that they should have the same rights and protection, everywhere in the EU.

As regards the law enforcement sector, where there are strong national traditions, I want to make progress by allowing Member States to implement European data protection rules under the scrutiny of the Court of Justice of the European Union.

You have always emphasised in your formal opinions the need to put the individual in control of their own data. This is the guiding principle of my reform:

First, I want to enhance transparency. Individuals will get more rights that will be enforceable in the online environment. At the same time those who are in control of their data will have stricter obligations. In addition, the information they provide shall be given in plain and clear language.

Second, I want to strengthen the principles of data minimisation and privacy by design. Data controllers, when they design or introduce a product or service, will have to make sure that the service does not collect more data than necessary and that data protection safeguards are well in place.

Third, my proposal includes the right to be forgotten and the right to data portability. The internet has an almost unlimited search and memory capacity. So even tiny scraps of personal information can have a huge impact, even years after they were shared or made public. Therefore I want to empower individuals to delete their personal data any time they want, where there are no other legitimate grounds for a controller to keep their data any longer.

Fourth, I consider that particular attention should be given to children. They are particularly vulnerable and we must ensure that minors are adequately protected against abusive profiling or tracking on the internet.

I also want to drastically reduce the ex-ante administrative burden. This means no more compulsory notifications on personal data processing. I plan to limit prior checks only to cases where they bring real added value.

In return, and to make sure that data protection is not undermined, I propose to introduce privacy impact assessments for risky processing. The data controller will have to properly manage data protection risks.

I also want to extend data breach notifications to all sectors. Data controllers will have to report security breach incidents to data protection authorities and to the individuals whose personal information has been compromised.

I intend to strengthen data protection officers in the public sector, in large companies and in companies doing risky processing. They will be your point of contact. They can also play a useful role in awareness raising campaigns.

I will introduce binding corporate rules. I think it is very important that more companies have access to these rules so that international data transfers become easier than they are today.

In the reform proposal, I will also encourage best practice codes and certification schemes.

I believe all these innovations will make it easier for you to investigate complaints, and you will be able to focus on ensuring compliance rather than dealing with mountains of notifications.

Now, let me turn to other very important aspects of the reform aimed at improving the efficiency of supervisory authorities. I believe that these authorities must be significantly strengthened and their powers should be aligned.

The main characteristic of a strong data protection authority is its independence. This is enshrined in the Treaty and has been made clear in a recent judgement of the Court of Justice of the European Union. In the Commission proposal, I will clarify practical aspects of independence, including the appointment of the members of the authority, recruitment of staff, and an independent budget. You will find in my proposals many of your suggestions which you made over the past months, based on your very own personal experience.

Data protection authorities in Member States need to have strong and aligned powers. I want to strengthen their competences so that they can effectively use administrative sanctions whenever there is a breach of the law.

You need to be able to carry out investigations and if necessary ban unlawful processing. You should have the right to bring legal action to enforce data protection rules. These responsibilities and powers are essential for the credibility and trust between data protection authorities in different Member States.

A strong mandate, adequate resources and clear rules will make your work easier. But that is not enough.

On some occasions, several data protection authorities in different Member States are in charge of what is effectively the same case. This can lead to a waste of time and resources, and to parallel investigations without coordination. This occurs in cross border cases, some of which can be highly visible as they involve a complex societal debate, sometimes even reaching beyond EU borders, and yet, despite the similarities, the regulatory outcome is quite different.

On other occasions, the problem is quite the opposite. There is no action at all, even if a data protection noncompliance is flagrant and concerns several Member States. This is the case when a national data protection authority of a Member State in which an internet company from a third country is established does not act at all, in spite of serious data protection concerns. Currently, there is no mechanism for the authorities from other Member States to force this authority to act.

These two examples show that fragmented enforcement is bad enforcement, in particular when you face web giants. It is not what our citizens expect from data protection law and from the authorities established to enforce this law.

We therefore need better coordination inside the EU. Three conditions must be met to make this possible. The first is that there must be one single lead authority responsible for the action in a particular case. The second is that other authorities from other Member States should have the means to require the leader to act, to accept joint actions, and to discuss the remedy. The third is that the Article 29 Working Party must have an important role in this mechanism.

When the reform enters into force, a new European Data Protection Board will be created from the current Article 29 Working Party. Given its enhanced future responsibilities, the Board should have an efficient and dedicated secretariat. How to do it? I think that this secretariat should be hosted by the European Data Protection Supervisor's office, which would be a cost-effective solution drawing upon the ready-made experience of that office.

Last but not least, let me stress that the European Commission has neither the intention nor the means at its disposal to take over your role as interpreters and enforcers of data protection rules on the ground, or as decision-makers on individual cases. On the contrary, with the reform, you will have a fully independent secretariat at your disposal and better tools to develop a common legal doctrine.

We are now very close to having a new legal framework on the table. You have played a major role in making it happen. And you will of course continue to play a key role in the further legislative process.

The new set of rules must be safe, simple and sound. Once it becomes EU law, you will bring it to life, make it part of our daily work and embed it in our national and local data protection culture. I am sure I can count on you now and in the future to be part of this important mission! Our citizens expect nothing less from all of us: to stand up for their right to data protection. And to enforce it strongly and credibly, also in a changing and increasingly globalised world.